Welcome to the new design! Please report any bugs or issues, thanks :)
Web Dev + WordPress + Security

Blacklist Candidate 2012-11-13: Evil Scanner Edition

[ Blacklist Candidate Props ] It’s been awhile since I’ve posted one of my Blacklist Candidate series articles. It’s always fun for me to talk (or write) about security related issues, especially when a quick slab of .htaccess can be used to take care of business. And that’s exactly what we have in this edition of the series, where I’m pleased to bring you Blacklist Candidate Number 2012-11-13: the “evil” scanner. Instead of scanning your site, collecting data, and moving on, Mr. 2012-11-13 continues to scan the same sites for the exact same set of files. And by “continues” I mean over and over and over and over again..

It went from, “hmm, what have we here” to “alright dude, you’ve already tried those requests,” and then eventually to “sheesh, what an douche bag,” and finally to “come on down, you’re the next knuckle-dragging buffoon to get blacklisted from the site.” And so, in classic Blacklist-candidate style, let’s snuff this latest wave of evil server scanning asap.

Synopsis

It’s pretty basic really, something out there is looking for open doors on an unknown set of websites. They’re hitting some of my larger WordPress sites and that’s really all I know. Hopefully others reading can confirm or deny presence of this activity in their access logs. One reason to suspect it’s more widespread is that the requested URLs target a variety of different CMSs, as we’ll see here in moment.

The scan itself is always the same, probing for registration forms, signup forms, join forms, and similar with URLs including these:

http://example.com/register.php
http://example.com/user/register
http://example.com/signup.php
http://example.com/signup

http://example.com/member/join.php
http://example.com/tiki-register.php
http://example.com/ucp.php?mode=register
http://example.com/tools/quicklogin.one

http://example.com/join.php
http://example.com/YaBB.cgi/
http://example.com//WHMCS
http://example.com/{$itemURL}

These are just a handful of examples from the scan, but should give you a good idea of what to look for in your logs. They’re actually quite benign-looking on the surface, but something out there wants IN to your site, and apparently has a reason to check for these particular types of files.

Discussion

It is sad that Mr. 2012-11-13 doesn’t know how to collect data and then use it to save time and resources by eliminating redundancy and optimizing results. Nope. Instead you’ve got some greasy man-back crawling around with his $199 bargain scanner script and just letting it rip. Over and over and over and over, the same script hitting the same sites looking for the same files that didn’t exist last time, or the time before that or that or that ad nauseam. I could go on myself, but I think you get the picture.

On a different note, most the URLs being requested in this scan qualify initially as legitimate 404 errors. That is, there is every likelihood that I could have a join.php file somewhere or that someone could have linked to such a file, even though it doesn’t actually exist. And each scan seems to use a different set of IP addresses, so if let run only once per site would be a very stealth scan. But no, sadly that’s not the case. Someone’s hoping really hard that I decide to add some of those files to my site.

Identification

So who is this evil-scanning scumbag? Probably some sweet little white-haired old lady like my grandma who turned at once to a life of cybercrime after watching the 1,000th rerun of the Price is Right. As mentioned, the IPs associated with the requests suggest a clear pattern, but seem otherwise dynamic enough that blocking by IP is not gonna be worthwhile in this case.

The most recent user-agent to be reported with the scan is Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;), which to me is too similar to legit browsers to serve as a reliably detectable pattern. So to block this scanning moron we need something a little more consistent, like the URL-requests themselves. And they’re reliable too, even now bouncing off my newly placed mini firewall, which happens to work great with the 5G Blacklist.

Blacklist the fool

Alright, so I’ve had enough of this relentless scanner and it’s time to roll out the red carpet.. straight to the CURB. Here is the tasty slab of .htaccess goodness that works great with the 5G:

# mini firewall 2012-11-13
<IfModule mod_alias.c>
	RedirectMatch 403 /(\{\$itemURL\}|administrator|blogs/load/recent|default|register|signup|tools/quicklogin\.one|undefined|WHMCS|YaBB\.cgi|YaBB\.pl)/?$
	RedirectMatch 403 /(curltest|join|join_form|member/join|mobiquo|register|signup|tiki-register|ucp)\.php$
</IfModule>

Note that if registration is open on your site, run a test registration to verify that everything works. If not, please report with a comment so modifications can be made. Thanks.

So to implement this mini-firewall, just add that slice of code to your site’s root .htaccess file (or server config file) and say goodbye to this edition’s Blacklist Candidate and his relentless scanning. Thanks Mr. 2012-11-13, we couldn’t have done it without you!

Jeff Starr
About the Author
Jeff Starr = Creative thinker. Passionate about free and open Web.
WP Themes In Depth: Build and sell awesome WordPress themes.

5 responses to “Blacklist Candidate 2012-11-13: Evil Scanner Edition”

  1. Michael Clark 2012/11/14 2:06 pm

    What good does it do to return a 403? By returning “forbidden” aren’t you implying that the resource exists? Wouldn’t it be “better” to return an entirely blank page? Or how about a custom 404 page devoid of content. Then the attacker’s log wills how the resource doesn’t exist, and your server isn’t wasting any system resources sending useless info back to the attacker.

    • Jeff Starr
      Jeff Starr 2012/11/14 2:15 pm

      Great point, and 400 “bad request” would also work. I enjoy sending the 403 “Forbidden” because it makes me feel good.

  2. Tri Wahyudi 2012/12/13 12:01 am

    Thanks for the information provided useful. I always look forward to the latest articles from you, especially those associated with htaccess :). I look forward newest 6G firewall :d

    When I search for articles related to the safety of using Htaccess with the language of my country, namely Indonesian, hard to find. Finally I found a blog that discusses about Htaccess in English, one of which is that I found your blog :)

    Sorry if the english vocabulary I use messy :)

  3. Christopher 2013/02/20 12:56 pm

    Thanks for the good info. I noticed a similar scanning pattern showing in my Apache logs and was curious about it.

  4. rhakateza 2013/06/24 6:13 pm

    recently a had attacked by strange query whos looking for register form, and they successfully take over my website. But it before I read your htaccess trick. Thank a lot

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
The Tao of WordPress: Master the art of WordPress.
Thoughts
What's up with Plesk UI lately? Especially on Chrome it looks just awful, all kinds of broken. Come on Plesk devs get it together.
Things get stressful, I try to pray. Not always easy, but always helps to relax and regain focus.
Nice new speed checker at fastorslow.com.
Easy way to exclude certain tests from WP Site Health: Site Health Tool Manager
Excellent (and free) tool for getting tons of site SSL infos: whynopadlock.com
Everyone just stay home and hide forever. Brilliant idea.
Playing with Microsoft Edge browser on macOS. It's like 1998 all over again.